
In a recent report, Darktrace’s Threat Research team has detailed a sophisticated malware campaign involving the SocGholish loader—a JavaScript-based first-stage malware now weaponized by ransomware affiliates. The research, published in early 2025, reveals how attackers are using SocGholish not just to gain initial access but to establish long-term persistence and lateral movement within corporate networks, ultimately leading to ransomware deployment.
SocGholish, in operation since at least 2017, is most famously associated with fake browser update scams delivered via compromised websites. According to the report:
“Threat actors often target outdated or poorly secured CMS-based websites like WordPress… Through unpatched plugins… they inject malicious JavaScript into the site’s HTML, templates or external JS resources.”
Darktrace observed threat actors compromising websites and redirecting unsuspecting users to fake browser update pages. These pages deliver ZIP files containing JavaScript-based loaders. One noted case involved a victim visiting garagebevents[.]com, triggering a download of 10 MB of suspicious content.
Once triggered, SocGholish uses obfuscated code to connect with Keitaro TDS (Traffic Distribution System) domains such as:
- packedbrick[.]com
- rednosehorse[.]com
- blackshelter[.]org
- blacksaltys[.]com
These domains serve malicious scripts which redirect to final payload delivery endpoints. Darktrace notes:
“The device connected to the compromised website, which then retrieved JavaScript code from the Keitaro TDS domains… successfully completing SocGholish’s distribution.”
SocGholish doesn’t stop at entry. Once embedded, it initiates internal credential harvesting campaigns, abusing legacy mechanisms such as WebDAV and SCF files over SMB to coerce NTLM authentication.
- WebDAV Abuse: Attackers leveraged the Web Distributed Authoring and Versioning (WebDAV) protocol to prompt NTLM authentication: “Despite the session failures… the WebDAV server was still likely able to retrieve the user’s NTLM hash… which can later be used by the adversary to crack the password offline.”
- SCF File Trickery: In another instance, attackers planted .scf files named Thumbs.scf across internal shares: “These files… can be executed implicitly when a user simply opens a folder containing the file – no clicks required… Windows will automatically attempt to load the icon… and initiate NTLM authentication.”
This passive exploitation allows adversaries to harvest NTLM credential material simply through users browsing shared folders, with no file ever being opened.
After establishing a foothold, SocGholish connects over TLS/SSL (port 443) to its command-and-control (C2) infrastructure, but the activity doesn’t end there.
“This set of connections would precede a second set… linked to RansomHub affiliates… facilitating the deployed Python-based backdoor.”

To evade detection, attackers employed port-hopping—rapidly shifting across ports such as 2308, 2311, 2313, and more—on the same destination IP to obfuscate C2 traffic.
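As an added detection example (not code from the Darktrace report or this article), the following Python flags the port-hopping pattern described above: one internal host reaching the same destination IP on several distinct ports within a short window. The flow log lines, hosts and ports are constructed for illustration, and the window and threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: "timestamp src dst dport proto".
# Hosts are documentation addresses, not indicators from the report.
SAMPLE_FLOWS = """\
2025-01-15T10:00:01Z 10.0.0.25 203.0.113.10 443 tcp
2025-01-15T10:00:05Z 10.0.0.25 203.0.113.10 2308 tcp
2025-01-15T10:00:09Z 10.0.0.25 203.0.113.10 2311 tcp
2025-01-15T10:00:14Z 10.0.0.25 203.0.113.10 2313 tcp
2025-01-15T10:00:20Z 10.0.0.25 203.0.113.10 2316 tcp
2025-01-15T10:05:00Z 10.0.0.31 198.51.100.7 443 tcp
2025-01-15T10:05:30Z 10.0.0.31 198.51.100.7 443 tcp
2025-01-15T11:00:00Z 10.0.0.25 203.0.113.10 2320 tcp
"""


def parse_flows(text):
    """Parse the space-separated flow format above into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), proto))
    return flows


def detect_port_hopping(flows, window=timedelta(minutes=5), min_ports=3):
    """Return {(src, dst): sorted distinct ports} for pairs where the source
    hit at least `min_ports` distinct destination ports within `window`.
    Thresholds are assumptions; services that legitimately use port ranges
    (e.g. passive FTP, VoIP media) will need allow-listing."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _proto in flows:
        by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        hopped = set()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; collect ports seen inside it.
            in_window = {port for ts, port in events[i:] if ts - start <= window}
            if len(in_window) >= min_ports:
                hopped |= in_window
        if hopped:
            alerts[pair] = sorted(hopped)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_hopping(parse_flows(SAMPLE_FLOWS)).items():
        print(f"port-hopping suspected: {src} -> {dst} on ports {ports}")
```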